pub struct Token(/* private fields */);Expand description
A bearer token shared between an agent and the control plane.
Implementations§
Source§impl Token
impl Token
Sourcepub fn new(token: impl Into<String>) -> Self
pub fn new(token: impl Into<String>) -> Self
Wrap a raw token. Surrounding whitespace is trimmed.
Prefer Token::from_env / Token::from_file in production so the secret is not baked into the binary or argv.
Sourcepub fn generate() -> Self
pub fn generate() -> Self
Generate a fresh random token (256 bits of OS entropy, base64url-encoded, prefixed solti_agt_).
This is a pure value: it performs no persistence. The SDK is a library and does not decide where the secret lives: the agent binary owns that (file, vault, k8s secret, …).
Sourcepub fn from_env(var: &str) -> ModelResult<Self>
pub fn from_env(var: &str) -> ModelResult<Self>
Read the token from an environment variable.
Returns ModelError::Invalid if the variable is unset or empty.
Sourcepub fn from_file(path: impl AsRef<Path>) -> ModelResult<Self>
pub fn from_file(path: impl AsRef<Path>) -> ModelResult<Self>
Read the token from a file (trailing newline / whitespace trimmed).
Returns ModelError::Invalid if the file cannot be read or is empty.
Sourcepub fn expose(&self) -> &str
pub fn expose(&self) -> &str
Borrow the raw token for outbound header construction (the sending side, e.g. solti-discover).
Inbound verification should use Token::verify.
Sourcepub fn is_empty(&self) -> bool
pub fn is_empty(&self) -> bool
Whether the token is empty (after trimming) — used by config validation.
Sourcepub fn verify(&self, candidate: &str) -> bool
pub fn verify(&self, candidate: &str) -> bool
Constant-time comparison against a candidate presented by a caller.
Used by the inbound verification path (solti-api), a timing side-channel cannot be used to recover the secret byte-by-byte.
A length mismatch returns false (token length is not secret);
equal-length content comparison stays constant-time.